RE: Xprobe 0.0.2 Released

From: Fernando Cardoso (fernando.cardoso@whatevernet.com)
Date: 10/25/01

Previous message: Ofir Arkin: "Xprobe 0.0.2 Released"
In reply to: Ofir Arkin: "Xprobe 0.0.2 Released"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Fernando Cardoso" <fernando.cardoso@whatevernet.com>
To: <pen-test@securityfocus.com>
Subject: RE: Xprobe 0.0.2 Released
Date: Thu, 25 Oct 2001 14:44:35 +0100
Message-ID: <NLEALDDOMLPPILFMEEJAAECBCJAA.fernando.cardoso@whatevernet.com>

Just did a little hack on logic_tree.c in order to identify IBM OS/400.

Without this, xprobe would identify OS/400 boxes as "Novell (FreeBSD
4.3-current(?)". Main differences between Novell and OS/400:

- TTL is 128 for Novell and 64 for OS/400
- OS/400, as opposite to Novell, replies to ICMP Timestamp queries
- Every reply from OS/400 (echo or tstamp) is marked with TOS=32

I used the latter approach, since TTL can be deceptive with boxes many hops
away and Timestamp would require a new packet to be issued.

Use at your own risk :)

[root@brutus xprobe-0.0.2]# diff logic_tree.c
../xprobe-0.0.2patched/logic_tree.c
226a227,233
> if (icmpecho_res->ip->ip_tos == 0x20) {
> tree_message("TOS 32");
> fin_message("IBM OS/400");
> free_res(&icmpecho_res);
> free_res(&udp_res);
> return 38;
> } else {
230a238
> }

-- Fernando Cardoso - Security Consultant WhatEverNet Computing, S.A. Phone : +351 21 7994200 Praca de Alvalade, 6 - Piso 6 Fax : +351 21 7994242 1700-036 Lisboa - Portugal email : fernando.cardoso@whatevernet.com http://www.whatevernet.com/

_____________________________________________________________________ INTERNET MAIL FOOTER A presente mensagem pode conter informação considerada confidencial. Se o receptor desta mensagem não for o destinatário indicado, fica expressamente proibido de copiar ou endereçar a mensagem a terceiros. Em tal situação, o receptor deverá destruir a presente mensagem e por gentileza informar o emissor de tal facto. --------------------------------------------------------------------- Privileged or confidential information may be contained in this message. If you are not the addressee indicated in this message, you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. ---------------------------------------------------------------------

---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/

Previous message: Ofir Arkin: "Xprobe 0.0.2 Released"
In reply to: Ofir Arkin: "Xprobe 0.0.2 Released"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: SMB-Link in Lotus Notes
... A presente mensagem pode conter informação considerada confidencial. ... This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ...
(Pen-Test)
RE: Novell NDS
... Does Novell still keep the NDS information in a hidden directory off of the root of SYS? ... This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ...
(Pen-Test)
RE: Forwarding sniffed packets
... > Subject: Forwarding sniffed packets ... > This list is provided by the SecurityFocus Security Intelligence ... For more information on SecurityFocus' SIA service which ... A presente mensagem pode conter informação considerada confidencial. ...
(Pen-Test)
Virtual Vault
... I wonder if someone has any more info about the Virtual Vault (actually the ... embedded Netscape Server) vulnerability found last month. ... A presente mensagem pode conter informação considerada confidencial. ... This list is provided by the SecurityFocus Security Intelligence Alert ...
(Pen-Test)